azuread_privileged_access_group_eligibility_schedule not working properly #1613

Open
1 task done
rdvansloten opened this issue Jan 9, 2025 · 3 comments

Comments


rdvansloten commented Jan 9, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.8

AzureRM Provider Version

4.x (latest)

Affected Resource(s)/Data Source(s)

azuread_privileged_access_group_eligibility_schedule

Terraform Configuration Files

resource "azuread_privileged_access_group_eligibility_schedule" "main" {
  for_each = {
    for assignment in local.privileged_group_assignments :
    "${assignment.group_name}-${assignment.privileged_group}" => assignment
  }

  # Group being assigned eligibility
  group_id = azuread_group.main["${each.value.group_name}-${each.value.subscription_id}"].object_id

  # Principal ID resolved from pre-existing privileged group
  principal_id = data.azuread_group.privileged[each.value.privileged_group].object_id

  assignment_type = "member"
  expiration_date = local.end_date
  justification   = "Set by REDACTED repository."
}

Debug Output/Panic Output

Terraform will perform the following actions:
  # azuread_privileged_access_group_eligibility_schedule.main["REDACTED"] will be updated in-place
  ~ resource "azuread_privileged_access_group_eligibility_schedule" "main" {
      ~ expiration_date      = "2025-06-24T07:46:46Z" -> (known after apply)
        id                   = "REDACTED"
        # (10 unchanged attributes hidden)
    }
Plan: 0 to add, 4 to change, 0 to destroy.

---

│ Error: creating updated eligibility schedule request: unexpected status 400 (400 Bad Request) with error: RoleAssignmentExists: The Role assignment already exists.
│ 
│   with azuread_privileged_access_group_eligibility_schedule.main["REDACTED"],
│   on pim.tf line 31, in resource "azuread_privileged_access_group_eligibility_schedule"

Expected Behaviour

Expected it to update my end date for assignment

Actual Behaviour

It didn't and said an assignment already exists.

Steps to Reproduce

terraform apply this config.

Important Factoids

Deleting the assignment entirely and recreating it seems to work properly, but I am not gonna be doing that for 100+ AD groups.

References

No response


rcskosir commented Jan 9, 2025

👋 Thank you for taking the time to open this issue. I am going to move this issue to the azuread repo where the code related to this issue is.

@rcskosir rcskosir transferred this issue from hashicorp/terraform-provider-azurerm Jan 9, 2025
@SPALLADI

I am also seeing the exact issue. Can this be fixed please? Otherwise deleting and re-creating is not a possible option for us.


aaganrmu commented Jan 15, 2025

This is the same issue as #1412
